MPLS Virtual Private Networks (VPNs)

Transcription

1 MPLS Virtual Private Networks (VPNs) The IP Virtual Private Network (VPN) feature for Multiprotocol Label Switching (MPLS) allows a Cisco IOS network to deploy scalable IPv4 Layer 3 VPN backbone services. An IP VPN is the foundation companies use for deploying or administering value-added services including applications and data hosting network commerce, and telephony services to business customers. In private LANs, IP-based intranets have fundamentally changed the way companies conduct their business. Companies are moving their business applications to their intranets to extend over a WAN. Companies are also embracing the needs of their customers, suppliers, and partners by using extranets (an intranet that encompasses multiple businesses). With extranets, companies reduce business process costs by facilitating supply-chain automation, electronic data interchange (EDI), and other forms of network commerce. To take advantage of this business opportunity, service providers must have an IP VPN infrastructure that delivers private network services to businesses over a public infrastructure. MPLS VPNs offer the following benefits: A platform for rapid deployment of additional value-added IP services, including intranets, extranets, voice, multimedia, and network commerce Privacy and security equal to that provided by Layer 2 VPNs by limiting the distribution of a VPN's routes to only those routers that are members of the VPN seamless integration with customer intranets Increased scalability over current VPN implementations, with thousands of sites per VPN and hundreds of thousands of VPNs per service provider IP class of service (CoS), with support for multiple classes of service and priorities within VPNs, as well as between VPNs Management of VPN membership and provisioning of new VPNs for rapid deployment Scalable any-to-any connectivity for extended intranets and extranets that encompass multiple businesses Feature History for MPLS Virtual Private Networks Feature History Release 12.0(5)T 12.0(21)ST Modification This feature was introduced. This feature was implemented on the Cisco Internet router and integrated into Cisco IOS Release 12.0(21)ST. Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA USA Copyright 2003 Cisco Systems, Inc. All rights reserved.

2 Contents MPLS Virtual Private Networks (VPNs) 12.0(22)S 12.0(23)S 12.2(13)T 12.2(14)S 12.0(26)S This feature was implemented on the Cisco series Internet Router on the following line cards: the 6E3-SMB and 12E3-SMB line cards, the 6-port channelized T3 (6CT3-SMB) line card, the OC-192c/STM-64c Packet-over-SONET (POS) line card, and the Quad OC-48c STM-16c POS line card and integrated into Cisco IOS Release 12.0(22)S. This feature was integrated into Cisco IOS Release 12.0(23)S. The ip route static inter-vrf command was introduced. This feature was implemented on the Cisco 7200 and Cisco 7500 series routers and integrated into Cisco IOS Release 12.2(13)T. Support was added for the ip route static inter-vrf command. This feature was integrated into Cisco IOS Release 12.2(14)S. Support was added for the sync keyword to the no ip vrf command. Finding Support Information for Platforms and Cisco IOS Software Images Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear. Contents Prerequisites for MPLS Virtual Private Networks, page 2 Information About MPLS Virtual Private Networks, page 3 How to Configure MPLS Virtual Private Networks, page 8 Configuration Examples for MPLS Virtual Private Networks, page 20 Additional References, page 26 Command Reference, page 28 Glossary, page 63 Prerequisites for MPLS Virtual Private Networks Your network must be running the following Cisco IOS services before you configure Virtual Private Network (VPN) operation: Multiprotocol Label Switching (MPLS) in provider backbone routers, or generic routing encapsulation (GRE) tunnel connectivity among all provider edge (PE) routers MPLS with VPN code in provider routers with VPN edge service routers (PE routers) Border Gateway Protocol (BGP) in all routers providing a VPN service Cisco Express Forwarding (CEF) switching in every MPLS-enabled router CoS feature (optional) To effectively implement an IP VPN in your facility, ensure that your IP VPN meets the following basic requirements: 2

3 MPLS Virtual Private Networks (VPNs) Information About MPLS Virtual Private Networks Privacy All IP VPNs offer privacy over a shared (public) network infrastructure. Most companies use an encrypted tunnel. This is only one of several ways to provide network and data privacy. Scalability For proper service delivery, VPNs must scale to serve hundreds of thousands of sites and users. Besides being a managed service, VPNs are also a management tool for service providers to control access to services. One example is Closed User Groups for data and voice services. Flexibility IP VPNs must handle the any-to-any traffic patterns characteristic of corporate intranets and extranets, in which data no longer flows to and from a central location. VPNs must also have the inherent flexibility to add new sites quickly, connect users over different media, and meet the increasingly sophisticated transport and bandwidth requirements of new intranet applications. Predictable Performance Performance needs vary widely requiring different classes of service, but the common requirement is that the performance is predictable. Examples of the ranges of performance requirements include: Remote access for mobile users Require widespread connectivity Branch offices Require a sustained performance level because of the interactive nature of the intranet application in a branch office Video conferencing Require specific performance characteristics Information About MPLS Virtual Private Networks To configure MPLS Virtual Private Networks (VPNs), you need to understand the following concepts: Virtual Private Network Operation, page 3 MPLS Virtual Private Networks Basis for Value-Added Services, page 5 Virtual Private Network Operation Each Virtual Private Network (VPN) is associated with one or more VPN routing/forwarding instances (VRFs). A VRF defines the VPN membership of a customer site attached to a PE router. A VRF consists of an IP routing table, a derived Cisco Express Forwarding (CEF) table, a set of interfaces that use the forwarding table, and a set of rules and routing protocol parameters that control the information that is included into the routing table. A one-to-one relationship does not necessarily exist between customer sites and VPNs. A given site can be a member of multiple VPNs, as shown in Figure 2. However, a site can only associate with only one VRF. A customer site's VRF contains all the routes available to the site from the VPNs of which it is a member. Packet forwarding information is stored in the IP routing table and the CEF table for each VRF. A separate set of routing and CEF tables is maintained for each VRF. These tables prevent information from being forwarded outside a VPN, and also prevent packets that are outside a VPN from being forwarded to a router within the VPN. This section contains the following topics: VPN Route Target Communities, page 4 BGP Distribution of VPN Routing Information, page 4 MPLS Forwarding, page 4 3

4 Information About MPLS Virtual Private Networks MPLS Virtual Private Networks (VPNs) VPN Route Target Communities The distribution of VPN routing information is controlled through the use of VPN route target communities, implemented by Border Gateway Protocol (BGP) extended communities. Distribution of VPN routing information works as follows: 1. When a VPN route learned from a CE router is injected into BGP, a list of VPN route target extended community attributes is associated with it. Typically the list of route target community values is set from an export list of route targets associated with the VRF from which the route was learned. 2. An import list of route target extended communities is associated with each VRF. The import list defines route target extended community attributes a route must have for the route to be imported into the VRF. For example, if the import list for a particular VRF includes route target communities A, B, and C, then any VPN route that carries any of those route target extended communities A, B, or C is imported into the VRF. BGP Distribution of VPN Routing Information MPLS Forwarding A service provider edge (PE) router can learn an IP prefix from a customer edge (CE) router by static configuration, through a BGP session with the CE router, or through the Routing Information Protocol (RIP) exchange with the CE router. The IP prefix is a member of the IPv4 address family. After it learns the IP prefix, the PE converts it into a VPN-IPv4 prefix by combining it with an 8-byte route distinguisher (RD). The generated prefix is a member of the VPN-IPv4 address family. It serves to uniquely identify the customer address, even if the customer site is using globally nonunique (unregistered private) IP addresses. The route distinguisher used to generate the VPN-IPv4 prefix is specified by a configuration command associated with the VRF on the PE router. BGP distributes reachability information for VPN-IPv4 prefixes for each VPN. BGP communication takes place at two levels: within IP domains, known as an autonomous systems (interior BGP, or IBGP) and between autonomous systems (external BGP, or EBGP). PE-PE or PE-RR (route reflector) sessions are IBGP sessions, and PE-CE sessions are EBGP sessions. BGP propagates reachability information for VPN-IPv4 prefixes among PE routers by means of the BGP multiprotocol extensions (refer to RFC 2283, Multiprotocol Extensions for BGP-4) which define support for address families other than IPv4. It does this in a way that ensures that the routes for a given VPN are learned only by other members of that VPN, enabling members of the VPN to communicate with each other. Based on routing information stored in the VRF IP routing table and VRF CEF table, packets are forwarded to their destination using MPLS. A PE router binds a label to each customer prefix learned from a CE router and includes the label in the network reachability information for the prefix that it advertises to other PE routers. When a PE router forwards a packet received from a CE router across the provider network, it labels the packet with the label learned from the destination PE router. When the destination PE router receives the labeled packet, it pops the label and uses it to direct the packet to the correct CE router. Label forwarding across the provider backbone is based on either dynamic label switching or traffic engineered paths. A customer data packet carries two levels of labels when traversing the backbone: 1. Top label directs the packet to the correct PE router. 2. Second label indicates how that PE router should forward the packet to the CE router. 4

5 MPLS Virtual Private Networks (VPNs) Information About MPLS Virtual Private Networks MPLS Virtual Private Networks Basis for Value-Added Services MPLS VPNs allow service providers to deploy scalable VPNs and build the foundation to deliver value-added services, including: Connectionless Service A significant technical advantage of MPLS VPNs is that they are connectionless. The Internet owes its success to its basic technology, TCP/IP. TCP/IP is built on packet-based, connectionless network paradigm. This means that no prior action is necessary to establish communication between hosts, making it easy for two parties to communicate. To establish privacy in a connectionless IP environment, current VPN solutions impose a connection-oriented, point-to-point overlay on the network. Even if it runs over a connectionless network, a VPN cannot take advantage of the ease of connectivity and multiple services available in connectionless networks. When you create a connectionless VPN, you do not need tunnels and encryption for network privacy, thus eliminating significant complexity. Centralized Service Building VPNs in Layer 3 allows delivery of targeted services to a group of users represented by a VPN. A VPN must give service providers more than a mechanism for privately connecting users to intranet services. It must also provide a way to flexibly deliver value-added services to targeted customers. Scalability is critical, because customers want to use services privately in their intranets and extranets. Because MPLS VPNs are seen as private intranets, you may use new IP services such as: Multicast Quality of service (QoS) Telephony support within a VPN Centralized services including content and web hosting to a VPN You can customize several combinations of specialized services for individual customers. For example, a service that combines IP multicast with a low-latency service class enables video conferencing within an intranet. Scalability If you create a VPN using connection-oriented, point-to-point overlays, Frame Relay, or ATM virtual connections (VCs), the VPN's key deficiency is scalability. Specifically, connection-oriented VPNs without fully meshed connections between customer sites are not optimal. MPLS-based VPNs instead use the peer model and Layer 3 connectionless architecture to leverage a highly scalable VPN solution. The peer model requires a customer site to peer with only one PE router as opposed to all other CPE or customer edge (CE) routers that are members of the VPN. The connectionless architecture allows the creation of VPNs in Layer 3, eliminating the need for tunnels or VCs. Other scalability issues of MPLS VPNs are due to the partitioning of VPN routes between PE routers and the further partitioning of VPN and Interior Gateway Protocol (IGP) routes between PE routers and provider (P) routers in a core network. PE routers must maintain VPN routes for those VPNs who are members. P routers do not maintain any VPN routes. MPLS-based VPNs increase the scalability of the provider's core and ensures that no one device is a scalability bottleneck. 5

6 Information About MPLS Virtual Private Networks MPLS Virtual Private Networks (VPNs) Security MPLS VPNs offer the same level of security as connection-oriented VPNs. Packets from one VPN do not inadvertently go to another VPN. Security is provided in the following areas: At the edge of a provider network, ensuring packets received from a customer are placed on the correct VPN. At the backbone, VPN traffic is kept separate. Malicious spoofing (an attempt to gain access to a PE router) is nearly impossible because the packets received from customers are IP packets. These IP packets must be received on a particular interface or subinterface to be uniquely identified with a VPN label. Easy to Create To take full advantage of VPNs, it must be easy for customers to create new VPNs and user communities. Because MPLS VPNs are connectionless, no specific point-to-point connection maps or topologies are required. You can add sites to intranets and extranets and form closed user groups. When you manage VPNs in this manner, it enables membership of any given site in multiple VPNs, maximizing flexibility in building intranets and extranets. Flexible Addressing To make a VPN service more accessible, customers of a service provider can design their own addressing plan, independent of addressing plans for other service provider customers. Many customers use private address spaces, as defined in RFC 1918, and do not want to invest the time and expense of converting to public IP addresses to enable intranet connectivity. MPLS VPNs allow customers to continue to use their present address spaces without network address translation (NAT) by providing a public and private view of the address. A NAT is required only if two VPNs with overlapping address spaces want to communicate. This enables customers to use their own unregistered private addresses, and communicate freely across a public IP network. Integrated Class of Service (CoS) Support CoS is an important requirement for many IP VPN customers. It provides the ability to address two fundamental VPN requirements: Predictable performance and policy implementation Support for multiple levels of service in an MPLS VPN Network traffic is classified and labeled at the edge of the network before traffic is aggregated according to policies defined by subscribers and implemented by the provider and transported across the provider core. Traffic at the edge and core of the network can then be differentiated into different classes by drop probability or delay. Straightforward Migration For service providers to quickly deploy VPN services, use a straightforward migration path. MPLS VPNs are unique because you can build them over multiple network architectures, including IP, ATM, Frame Relay, and hybrid networks. Migration for the end customer is simplified because there is no requirement to support MPLS on the CE router and no modifications are required to a customer's intranet. Figure 1 shows an example of a VPN with a service provider (P) backbone network, service provider edge routers (PE), and customer edge routers (CE). 6

7 MPLS Virtual Private Networks (VPNs) Information About MPLS Virtual Private Networks Figure 1 VPNs with a Service Provider Backbone VPN 1 VPN 2 Site 1 PE Service provider backbone Site 1 P P CE PE CE Site 2 P P PE CE VPN 1 Site 2 CE A VPN contains customer devices attached to the CE routers. These customer devices use VPNs to exchange information between devices. Only the PE routers are aware of the VPNs. Figure 2 shows five customer sites communicating within three VPNs. The VPNs can communicate with the following sites: VPN 1 sites 2 and 4 VPN 2 sites 1, 3, and 4 VPN 3 sites 1, 3, and 5 Figure 2 Customer Sites within VPNs Site 2 VPN1 Site 4 VPN2 Site 1 VPN3 Site 3 Site

8 How to Configure MPLS Virtual Private Networks MPLS Virtual Private Networks (VPNs) How to Configure MPLS Virtual Private Networks This section contains the following procedures to configure and verify MPLS Virtual Private Networks: Defining a Virtual Private Network Routing/Forwarding Instance on PE Router, page 8 (required) Configuring Border Gateway Protocol PE-to-PE or PE-to-CE Routing Sessions, page 10 (required) Configuring Routing Information Protocol PE-to-CE Routing Sessions, page 11 (required) Configuring Static Route PE-to-CE Routing Sessions, page 14 (required) Verifying Virtual Private Network Operation, page 16 (optional) Deleting a Virtual Private Network Routing/Forwarding Instance, page 18 (optional) Defining a Virtual Private Network Routing/Forwarding Instance on PE Router SUMMARY STEPS DETAILED STEPS Perform this task to define a Virtual Private Network (VPN) routing/forwarding instance (VRF) on a provider edge (PE) router. 1. enable 2. configure terminal 3. ip vrf vrf-name 4. rd route-distinguisher 5. route-target {import export both} route-target-ext-community 6. import map route-map 7. exit 8. interface type slot/port-adapter/port [ethernet serial] 9. ip vrf forwarding vrf-name 10. end Step 1 Step 2 Command or Action enable Router> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Router# configure terminal 8

9 MPLS Virtual Private Networks (VPNs) How to Configure MPLS Virtual Private Networks Step 3 Step 4 Step 5 Step 6 Step 7 Command or Action ip vrf vrf-name Router(config)# ip vrf vrf1 rd route-distinguisher Router(config-vrf)# rd 100:1 route-target {import export both} route-target-ext-community Router(config-vrf)# route-target import 100:1 import map route-map Router(config-vrf)# import map vrf2-import exit Purpose Configures a VRF routing table. The vrf-name argument is the name assigned to a VRF. Creates routing and forwarding tables for a VRF. The route-distinguisher argument adds an 8-byte value to an IPv4 prefix to create a VPN-IPv4 prefix. Creates a route-target extended community for a VRF. The import keyword imports routing information from the target VPN extended community. The export keyword exports routing information to the target VPN extended community. The both keyword imports both import and export routing information to the target VPN extended community. The route-target-ext-community argument adds the route-target extended community attributes to the VRF's list of import, export, or both (import and export) route-target extended communities. (Optional) Configures an import route map for a VRF. The route-map argument specifies the route map to be used as an import route map for the VRF. Exits to global configuration mode. Step 8 Router(config-vrf)# exit interface type slot/port-adapter/port [ethernet serial] Router(config)# interface ethernet5/0/1 Configures an interface type and enters interface configuration mode. The type argument is the type of interface to be configured. The slot argument is the number of the slot being configured. The port-adapter argument is the number of the port-adapter being configured. The port argument is the number of the port being configured. The ethernet keyword indicates an Ethernet IEEE interface. The serial keyword indicates a serial interface. 9

10 How to Configure MPLS Virtual Private Networks MPLS Virtual Private Networks (VPNs) Step 9 Step 10 Command or Action ip vrf forwarding vrf-name Router(config-if)# ip vrf forwarding vrf1 end Purpose Associates a VRF with an interface or subinterface. The vrf-name argument is the name assigned to a VRF. Exits to privileged EXEC mode. Router(config-if)# end Troubleshooting Tips Enter a show ip vrf detail command and make sure the MPLS VPN is up and associated with the right interfaces. Configuring Border Gateway Protocol PE-to-PE or PE-to-CE Routing Sessions SUMMARY STEPS DETAILED STEPS Perform this task to configure a Border Gateway Protocol (BGP) provider edge (PE)-to-PE or a PE-to-customer edge (CE) routing session in a provider network. 1. enable 2. configure terminal 3. router bgp as-number 4. neighbor {ip-address peer-group-name} remote-as as-number 5. neighbor {ip-address peer-group-name} activate 6. end Step 1 Step 2 Command or Action enable Router> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Router# configure terminal 10

11 MPLS Virtual Private Networks (VPNs) How to Configure MPLS Virtual Private Networks Step 3 Step 4 Step 5 Step 6 Command or Action router bgp as-number Router(config)# router bgp 1 neighbor {ip-address peer-group-name} remote-as as-number Router(config-router)# neighbor remote-as 1 neighbor {ip-address peer-group-name} activate Router(config-router)# neighbor activate end Purpose Configures a BGP routing process and enters router configuration mode. The as-number argument indicates the number of an autonomous system that identifies the router to other BGP routers and tags the routing information passed along. Valid numbers are from 0 to Private autonomous system numbers that can be used in internal networks range from to Adds an entry to the BGP or multiprotocol BGP neighbor table. The ip-address argument specifies the IP address of the neighbor. The peer-group-name specifies the name of a BGP peer group. The as-number specifies the autonomous system to which the neighbor belongs. Enables the exchange of information with a neighboring BGP router. The ip-address argument specifies the IP address of the neighbor. The peer-group-name specifies the name of a BGP peer group. (Optional) Exits to privileged EXEC mode. Router(config-router)# end Troubleshooting Tips You can enter a show ip bgp neighbor command to verify that the neighbors are up and running. If this command is not successful, enter a debug ip bgp x.x.x.x events command, where x.x.x.x is the IP address of the neighbor. Configuring Routing Information Protocol PE-to-CE Routing Sessions SUMMARY STEPS Perform this task to configure a Routing Information Protocol (RIP) provider edge (PE)-to-customer edge (CE) routing session. 1. enable 2. configure terminal 3. router rip 11

12 How to Configure MPLS Virtual Private Networks MPLS Virtual Private Networks (VPNs) 4. network ip-address 5. address-family ipv4 [multicast unicast vrf vrf-name] 6. exit-address-family 7. end DETAILED STEPS Step 1 Step 2 Command or Action enable Router> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Step 3 Router# configure terminal router rip Configure a RIP routing process. Step 4 Step 5 Router(config)# router rip network ip-address Router(config-router)# network address-family ipv4 [multicast unicast vrf vrf-name] Router(config-router)# address-family vrf vrf1 Specifies a list of networks for the RIP routing process. The ip-address argument specifies an IP address of the network of directly connected networks. Enters address family configuration mode for configuring routing sessions such as BGP that use standard IPv4 address prefixes. (Optional) The multicast keyword specifies IPv4 multicast address prefixes. (Optional) The unicast keyword specifies IPv4 unicast address prefixes. (Optional) The vrf vrf-name keyword argument combination specifies the name of the VRF to associate with subsequent IPv4 address family configuration mode commands. Note The default is Off for auto-summary and synchronization in the VRF address-family submode. 12

13 MPLS Virtual Private Networks (VPNs) How to Configure MPLS Virtual Private Networks Step 6 Command or Action exit-address-family Purpose Exits address family configuration mode. Step 7 Router(config-router-af)# exit-address-family end (Optional) Exits to privileged EXEC mode. Router(config-router)# end 13

14 How to Configure MPLS Virtual Private Networks MPLS Virtual Private Networks (VPNs) Configuring Static Route PE-to-CE Routing Sessions SUMMARY STEPS DETAILED STEPS Perform this task to configure static route provider edge (PE)-to-customer edge (CE) routing sessions. 1. enable 2. configure terminal 3. ip route vrf vrf-name prefix mask [next-hop-address] [interface {interface-number}] [global] [distance] [permanent] [tag tag] 4. address-family ipv4 [multicast unicast vrf vrf-name] 5. redistribute protocol 6. exit-address-family 7. end Step 1 Step 2 Command or Action enable Router> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Router# configure terminal 14

15 MPLS Virtual Private Networks (VPNs) How to Configure MPLS Virtual Private Networks Step 3 Step 4 Command or Action ip route vrf vrf-name prefix mask [next-hop-address] [interface {interface-number}] [global] [distance] [permanent] [tag tag] Router(config)# ip route vrf vrf e5/0/ address-family ipv4 [multicast unicast vrf vrf-name] Router(config-router)# address-family vrf vrf1 Purpose Establishes static routes for a VRF. The vrf-name argument is the name of the VRF for the static route. The prefix argument specifies the IP route prefix for the destination, in dotted-decimal format. The mask argument specifies the prefix mask for the destination, in dotted-decimal format. (Optional) The next-hop-address argument specifies the IP address of the next hop (the forwarding router that can be used to reach that network). (Optional) The interface argument specifies the type of network interface to use: ATM, Ethernet, loopback, POS (packet over SONET), or null. (Optional) The interface-number argument specifies the number identifying the network interface to use. (Optional) The global keyword specifies that the given next hop address is in the non-vrf routing table. (Optional) The distance argument specifies an administrative distance for this route. (Optional) The permanent keyword specifies that this route will not be removed, even if the interface shuts down. (Optional) The tag tag keyword argument combination species the label (tag) value that can be used for controlling redistribution of routes through route maps. Enters address family configuration mode for configuring routing sessions such as BGP that use standard IPv4 address prefixes. (Optional) The multicast keyword specifies IPv4 multicast address prefixes. (Optional) The unicast keyword specifies IPv4 unicast address prefixes. (Optional) The vrf vrf-name keyword argument combination specifies the name of the VRF to associate with subsequent IPv4 address family configuration mode commands. Note The default is Off for auto-summary and synchronization in the VRF address-family submode. 15

16 How to Configure MPLS Virtual Private Networks MPLS Virtual Private Networks (VPNs) Step 5 Step 6 Command or Action redistribute protocol Router(config-router-af)# redistribute static Router(config-router-af)# redistribute connected exit-address-family Purpose Redistributes routes from one routing domain into another routing domain. The protocol argument specifies the source protocol from which routes are being redistributed. It can be one of the following keywords: bgp, connected, egp, igrp, isis, mobile, ospf, static [ip], or rip. The static [ip] keyword is used to redistribute IP static routes. The optional ip keyword is used when redistributing into the IS-IS protocol. The connected keyword refers to routes that are established automatically by virtue of having enabled IP on an interface. For routing protocols such as OSPF and IS-IS, these routes will be redistributed as external to the autonomous system. Exits address family configuration mode. Step 7 Router(config-router-af)# exit-address-family end (Optional) Exits to privileged EXEC mode. Router(config-router)# end Verifying Virtual Private Network Operation SUMMARY STEPS Perform this task to verify Virtual Private Network (VPN) operation. 1. enable 2. show ip vrf [{brief detail interfaces}] [vrf-name] [output-modifiers]} 3. show ip route vrf vrf-name [connected] [protocol [as-number] [tag] [output-modifiers]] [list number [output-modifiers]] [profile] [static [output-modifiers]] [summary [output-modifiers]] [supernets-only [output-modifiers]] [traffic-engineering [output-modifiers]] 4. show ip protocols vrf vrf-name 5. show ip cef vrf vrf-name [ip-prefix [mask [longer-prefixes]] [detail] [output-modifiers]] [interface interface-number] [adjacency [interface interface-number] [detail] [discard] [drop] [glean] [null] [punt] [output-modifiers]] [detail [output-modifiers]] [non-recursive [detail] [output-modifiers]] [summary [output-modifiers]] [traffic [prefix-length] [output-modifiers]] [unresolved [detail] [output-modifiers]] 6. show ip bgp vpnv4 {all rd route-distinguisher vrf vrf-name} [summary] [labels] 7. show mpls forwarding vrf vrf-name [ip-prefix/length [mask]] [detail] [output-modifiers] 8. disable 16

17 MPLS Virtual Private Networks (VPNs) How to Configure MPLS Virtual Private Networks DETAILED STEPS Step 1 Step 2 Step 3 Command or Action enable Router> enable show ip vrf [{brief detail interfaces}] [vrf-name] [output-modifiers] Router# show ip vrf Router# show ip vrf interfaces show ip route vrf vrf-name [connected] [protocol [as-number] [tag] [output-modifiers]] [list number [output-modifiers]] [profile] [static [output-modifiers]] [summary [output-modifiers]] [supernets-only [output-modifiers]] [traffic-engineering [output-modifiers]] Purpose Enables privileged EXEC mode. Enter your password if prompted. (Optional) Displays the set of defined VRFs and associated interfaces. Use the show ip vrf command to display the VRFs and associated interfaces. Use the show ip vrf interfaces command to display details about the interfaces assigned to a VRF. (Optional) Displays the IP routing table associated with a VRF. Use the show ip route vrf command to verify that router PE1 learns routes from router CE2. Step 4 Router# show ip route vrf vpn1 show ip protocols vrf vrf-name Router# show ip protocols vrf vpn2 (Optional) Displays the routing protocol information associated with a VRF. Use the show ip protocols vrf command to check the VRF routing protocol information for PE routers. Step 5 show ip cef vrf vrf-name [ip-prefix [mask [longer-prefixes]] [detail] [output-modifiers]] [interface interface-number] [adjacency [interface interface-number] [detail] [discard] [drop] [glean] [null] [punt] [output-modifiers]] [detail [output-modifiers]] [non-recursive [detail] [output-modifiers]] [summary [output-modifiers]] [traffic [prefix-length] [output-modifiers]] [unresolved [detail] [output-modifiers]] (Optional) Displays the CEF forwarding table associated with a VRF. Use the show ip cef vrf command to check the VRF CEF forwarding table on the PE routers. Router# show ip cef vrf vpn1 17

18 How to Configure MPLS Virtual Private Networks MPLS Virtual Private Networks (VPNs) Step 6 Step 7 Step 8 Command or Action show ip bgp vpnv4 {all rd route-distinguisher vrf vrf-name} [summary] [labels] Router# show ip bgp vpnv4 all Router# show ip bgp vpnv4 vrf vpn1 labels show mpls forwarding vrf vrf-name [ip-prefix/length [mask]] [detail] [output-modifiers] Router# show mpls forwarding vrf vpn details disable Purpose (Optional) Displays VPN address information from the BGP table. Use the show ip bgp vpnv4 all command to check that the BGP session is up and running between the PE and the CE routers. Use the show ip bgp vpnv4 vrf vrf-name labels command to check that the prefixes for the provider network are in the BGP table and have the appropriate labels. (Optional) Displays label forwarding information for advertised VRF routes. Use the show mpls forwarding vrf command with the detail keyword to check that the prefixes for the PE routers in the local customer MPLS VPN service provider are in the label forwarding information base (LFIB). Exits to user EXEC mode. Router# disable Deleting a Virtual Private Network Routing/Forwarding Instance Perform this task to delete a Virtual Private Network (VPN) routing/forwarding instance (VRF) from the router. Virtual Private Network Routing/Forwarding Instance Deletion SUMMARY STEPS When you enter the no ip vrf vrf-name command, you start the deletion of a specified VRFs. Routers delete VRFs using a background process that frees all resources associated with the VRF. If you enter the no ip vrf command without the optional sync keyword, the command line interface (CLI) prompt returns immediately. This allows you to enter other commands while the VRF deletion process is still in progress. Any new configuration of a VRF with the same name as the VRF you deleted could get deleted and lost when the VRF resources are freed by the background process. You can verify that the specified VRF is deleted by looking at the display of a show ip vrf command. If an asterisk (*) precedes the name of the VRF you deleted, then the background process has not completed (see Deleting a Virtual Private Network Routing/Forwarding Instance Examples section on page 24). If you enter the no ip vrf command with the sync keyword, the router does not return the CLI prompt until the VRF deletion process is completed. This stops you from entering any commands to ensure that no new VRF configuration is lost. An informational message is displayed as the background process completes the deletion. 1. enable 18

19 MPLS Virtual Private Networks (VPNs) How to Configure MPLS Virtual Private Networks 2. configure terminal 3. no ip vrf vrf-name [sync} 4. end DETAILED STEPS Step 1 Step 2 Command or Action enable Router> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Step 3 Step 4 Router# configure terminal no ip vrf vrf-name [sync] Router(config)# no ip vrf vpn1 sync end Removes a VRF routing table. The vrf-name argument is the name assigned to a VRF. The sync keyword blocks the CLI prompt from returning until the VRF deletion process is completed. Without the sync keyword, the CLI prompt returns immediately allowing you to enter new commands before the deletion process is completed. Returns to privileged EXEC mode. Router(config)# end Troubleshooting Tips If you entered the no ip vrf command without the sync keyword, you can use the show ip vrf command to verify that the specified VRF is removed. An asterisk (*) before the VRF name in the command output indicates that the background process did not complete. You can reconfigure a VRF using the name of the deleted VRF without the loss of configuration data after background processes completely remove the resources associated with the specified VRF from the router. 19

20 Configuration Examples for MPLS Virtual Private Networks MPLS Virtual Private Networks (VPNs) Configuration Examples for MPLS Virtual Private Networks This section contains the following configuration examples for the MPLS Virtual Private Networks feature: Sample MPLS VPN Configuration File from a PE Router, page 20 Defining VPN Routing Instance on PE Router Example, page 21 Configuring BGP PE-to-PE or PE-to-CE Routing Sessions Examples, page 22 Configuring RIP PE-to-CE Routing Sessions Example, page 22 Configuring Static Route PE-to-CE Routing Sessions Example, page 23 Verifying VPN Operation Examples, page 23 Deleting a Virtual Private Network Routing/Forwarding Instance Examples, page 24 Sample MPLS VPN Configuration File from a PE Router This section provides a sample configuration file from a PE router. ip cef distributed! CEF switching is pre-requisite for label Switching frame-relay switching! ip vrf vrf1! Define VPN Routing instance vrf1 rd 100:1 route-target both 100:1! Configure import and export route-targets for vrf1! ip vrf vrf2! Define VPN Routing instance vrf2 rd 100:2 route-target both 100:2! Configure import and export route-targets for vrf2 route-target import 100:1! Configure an additional import route-target for vrf2 import map vrf2_import! Configure import route-map for vrf2! interface lo0 ip address ! interface atm9/0/0! Backbone link to another Provider router! interface atm9/0/0.1 tag-switching ip unnumbered loopback0 no ip directed-broadcast mpls atm vpi 2-5 mpls ip interface atm5/0 no ip address no ip directed-broadcast atm clock INTERNAL no atm ilmi-keepalive interface Ethernet1/0 ip address no ip directed-broadcast no ip mroute-cache no keepalive interface Ethernet5/0/1 ip vrf forwarding vrf1 ip address ! Set up Ethernet interface! as VRF link to a CE router 20

21 MPLS Virtual Private Networks (VPNs) Configuration Examples for MPLS Virtual Private Networks! interface hssi 10/1/0 hssi internal-clock encaps fr frame-relay intf-type dce frame-relay lmi-type ansi! interface hssi 10/1/0.16 point-to-point ip vrf forwarding vrf2 ip address frame-relay interface-dlci 16! Set up Frame Relay PVC!! subinterface as link to another!! CE router! router bgp 1! Configure BGP sessions no synchronization no bgp default ipv4-activate! Deactivate default IPv4 advertisements neighbor remote-as 1! Define IBGP session with another PE neighbor update-source lo0! address-family vpnv4 unicast! Activate PE exchange of VPNv4 NLRI neighbor activate exit-address-family! address-family ipv4 unicast vrf vrf1! Define BGP PE-CE session for vrf1 redistribute static redistribute connected neighbor remote-as neighbor activate no auto-summary exit-address-family! address-family ipv4 unicast vrf vrf2! Define BGP PE-CE session for vrf2 redistribute static redistribute connected neighbor remote-as neighbor update-source h10/1/0.16 neighbor activate no auto-summary exit-address-family!! Define a VRF static route ip route vrf vrf e5/0/ ! route-map vrf2_import permit 10! Define import route-map for vrf2.... Defining VPN Routing Instance on PE Router Example This example shows the configuration of VPN routing instances on a PE router: ip cef distributed frame-relay switching! ip vrf vrf1 rd 100:1 route-target both 100:1! ip vrf vrf2 rd 100:2! CEF switching is pre-requisite for label Switching! Define VPN Routing instance vrf1! Configure import and export route-targets for vrf1! Define VPN Routing instance vrf2 21

22 Configuration Examples for MPLS Virtual Private Networks MPLS Virtual Private Networks (VPNs) route-target both 100:2! Configure import and export route-targets for vrf2 route-target import 100:1! Configure an additional import route-target for vrf2 import map vrf2_import! Configure import route-map for vrf2! Configuring BGP PE-to-PE or PE-to-CE Routing Sessions Examples This example shows the configuration of a BGP PE-to-PE routing session: router bgp 1 no synchronization no bgp default ipv4-activate neighbor remote-as 1 neighbor update-source lo0! address-family vpnv4 unicast neighbor activate exit-address-family!! Configure BGP sessions! Deactivate default IPv4 advertisements! Define IBGP session with another PE! Activate PE exchange of VPNv4 NLRI This example shows the configuration of a BGP PE-to-CE session for vrf1: address-family ipv4 unicast vrf vrf1 redistribute static redistribute connected neighbor remote-as neighbor activate no auto-summary exit-address-family!! Define BGP PE-CE session for vrf1 This example shows the configuration of a BGP PE-to-CE session for vrf2: address-family ipv4 unicast vrf vrf2! Define BGP PE-CE session for vrf2 redistribute static redistribute connected neighbor remote-as neighbor update-source h10/1/0.16 neighbor activate no auto-summary exit-address-family! Configuring RIP PE-to-CE Routing Sessions Example This example shows the configuration of a RIP PE-to-CE routing session for vrf1: router rip version 2! address-family ipv4 vrf vrf1 version 2 redistribute bgp 1 metric 0 network no auto-summary exit-address-family 22

23 MPLS Virtual Private Networks (VPNs) Configuration Examples for MPLS Virtual Private Networks Configuring Static Route PE-to-CE Routing Sessions Example This example shows the configuration of a static routing session between a PE and CE router: ip route vrf vrf e5/0/ ! route-map vrf2_import permit 10! Define import route-map for vrf2.... Verifying VPN Operation Examples The output of the show ip vrf command shows the VRFs currently configured: Router# show ip vrf Name Default RD Interfaces vrf1 100:1 Ethernet1/3 vrf2 100:2 Ethernet0/3 The output of the show ip vrf interfaces command shows the interfaces bound to a particular VRF: Router# show ip vrf interfaces Interface IP-Address VRF Protocol Ethernet blue_vrf up Ethernet hub up router# The output of the show ip route vrf vpn1 command shows the IP routing table associated with the VRF called vpn1: Router# show ip route vrf vpn1 Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default U - per-user static route, o - ODR T - traffic engineered route Gateway of last resort is not set B /8 [200/0] via , 00:24:19 C /8 is directly connected, Ethernet1/3 B /8 [20/0] via , 02:10:22 B /8 [200/0] via , 00:24:20 The output of the show ip route vrf vpn2 command displays information about a VRF called vpn2: Router# show ip protocols vrf vpn2 Routing Protocol is "bgp 100" Sending updates every 60 seconds, next due in 0 sec Outgoing update filter list for all interfaces is Incoming update filter list for all interfaces is IGP synchronization is disabled Automatic route summarization is disabled Redistributing:connected, static Routing for Networks: Routing Information Sources: Gateway Distance Last Update 23

24 Configuration Examples for MPLS Virtual Private Networks MPLS Virtual Private Networks (VPNs) :20: :26:15 Distance:external 20 internal 200 local 200 The output of the show ip cef vrf vpn1 command shows the forwarding table associated with the VRF called vpn1: Router# show ip cef vrf vpn1 Prefix Next Hop Interface /32 receive / Ethernet1/ / POS6/ /8 attached Ethernet1/ /32 receive / Ethernet1/ /32 receive /32 receive / POS6/ /24 receive /32 receive The output of the show ip bgp vpnv4 all command shows all VPNv4 information in a BGP routing table: Router# show ip bgp vpnv4 all BGP table version is 18, local router ID is Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP,? - incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 100:1 vrf1 *> i *>i i *> i *>i i Deleting a Virtual Private Network Routing/Forwarding Instance Examples The following example shows the removal of a VRF with the sync keyword that blocks the return of the command prompt until the process is completed: Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# no ip vrf vpn5? sync Return after completing VRF delete <cr> Router(config)# no ip vrf vpn5 sync % IP addresses from all interfaces in VRF vpn5 have been removed Router(config)# end 24

25 MPLS Virtual Private Networks (VPNs) Configuration Examples for MPLS Virtual Private Networks The following example shows the VRF configuration on the router before entering the no ip vrf vpn5 sync command: Router# show ip vrf Name Default RD Interfaces forw <not set> mgmt 200:1 vpn5 500:1 Ethernet1/4 vpn6 600:1 Ethernet1/6 The following example shows the VRF configuration on the router after entering the no ip vrf vpn5 sync command: Router# show ip vrf Name Default RD Interfaces forw <not set> mgmt 200:1 vpn6 600:1 Ethernet1/6 The following example shows the removal of a VRF without a prompt blocking option: Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# no ip vrf vpn6 % IP addresses from all interfaces in VRF vpn6 have been removed Router(config)# end 00:03:34: %OSPF-5-ADJCHG: Process 66, Nbr on Ethernet1/6 from FULL to DOWN, Neighbor Down: Interface down or detached The following example shows the VRF is in the process of being deleted: Router# show ip vrf Name Default RD Interfaces forw <not set> mgmt 200:1 * vpn6 600:1 * Being deleted Router# 00:03:35: %SYS-5-CONFIG_I: Configured from console by console The following example shows reconfiguring a VRF using the same name (vpn6) as the VRF just deleted: Router# ip vrf vpn6 Router(config-vrf)# rd 600:1 Router(config-vrf)# route-target both 600:1 Router(config-vrf)# route-target import 600:2 The following example shows configuration lost as a result of entering commands before the deletion process is completed: Router# show ip vrf Name Default RD Interfaces forw <not set> mgmt 200:1 25

26 Additional References MPLS Virtual Private Networks (VPNs) Additional References The following sections provide references related to MPLS VPNs: Related Documents, page 26 Standards, page 26 MIBs, page 27 RFCs, page 27 Technical Assistance, page 27 Related Documents Related Topic Enhanced MPLS VPN traffic management configuration tasks MPLS CoS definition and configuration tasks MPLS CoS enhancement configuration tasks MPLS forwarding configuration tasks MPLS Label Distribution Protocol (LDP) configuration tasks BGP configuration tasks OSPF configuration tasks IS-IS configuration tasks Document Title MPLS Virtual Private Network Enhancements MPLS Class of Service (CoS) MPLS Class of Service Enhancements Multiprotocol Label Switching (MPLS) on Cisco Routers MPLS Label Distribution Protocol (LDP) Configuring BGP chapter in the Cisco IOS IP Configuration Guide, Release 12.2 Configuring OSFP chapter in the Cisco IOS IP Configuration Guide, Release 12.2, IP Routing Protocols Configuring Integrated IS-IS chapter in the Cisco IOS IP Configuration Guide, Release 12.2, IP Routing Protocols Standards Standards No new standards or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. Title 26

27 MPLS Virtual Private Networks (VPNs) Additional References MIBs MIBs No new MIBs or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. MIBs Link To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: RFCs RFCs RFC 1163 RFC 1164 RFC 2283 RFC 2547 Title A Border Gateway Protocol Application of the Border Gateway Protocol in the Internet Multiprotocol Extensions for BGP-4 BGP/MPLS VPNs Technical Assistance Description Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. Link 27

28 Command Reference MPLS Virtual Private Networks (VPNs) Command Reference This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command references. address-family clear ip route vrf debug ip bgp exit-address-family import map ip route static inter-vrf ip route vrf ip vrf ip vrf forwarding neighbor activate rd route-target show ip bgp vpnv4 show ip cef vrf show ip protocols vrf show ip route vrf show ip vrf show mpls forwarding vrf 28